GreyEnergy

Malware Profile Updated 3 months ago
GreyEnergy is a malware family believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group Sandworm. Security firm WithSecure has identified overlaps between GreyEnergy and another malware family, Kapeka, suggesting that the two are related, much as conceptual similarities had earlier linked GreyEnergy to its probable predecessor BlackEnergy, which was also associated with Sandworm's cyber-attacks. WithSecure's research suggests that Kapeka could be a successor to GreyEnergy, continuing a pattern of malware evolution within Sandworm's arsenal: both GreyEnergy and Kapeka consist of a dropper component with an embedded main backdoor that gives the operator unauthorized access to infected systems. The proposed succession is further supported by overlaps between Kapeka and the Prestige ransomware attacks, attributed to Sandworm, which targeted Ukraine in 2022. Taken together, this is strong evidence of a connection between Kapeka, GreyEnergy, and the Sandworm APT group: although the two malware samples do not share the same source code, their conceptual overlaps and shared usage patterns point to a common line of development. The finding underscores the evolving threat posed by Sandworm and the importance of continued vigilance and research in cybersecurity.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth looking at.
ID | Votes | Profile Description
Sandworm | 4 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
BlackEnergy | 4 | BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Miscellaneous Associations
Other elements of context that could help in assessing relevance
Malware
Ukraine
Ransomware
APT
Backdoor
Dropper
Russia
Encryption
Associated Malware
ID | Type | Votes | Profile Description
Kapeka | is related to | 3 | Kapeka is a previously unknown backdoor malware that has been linked to the Russian Sandworm Advanced Persistent Threat (APT) group. As a malicious software, Kapeka is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without t
Prestige | Unspecified | 2 | Prestige is a type of malware attributed to the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. This malicious software was used in ransomware attacks against Ukrainian and Polish logistics companies in October 2022. The deployment of Prestige coincided with reported instances of ran
Prestige Ransomware | Unspecified | 1 | The Prestige ransomware is a type of malware that had not been observed by Microsoft prior to its deployment. It is a malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can steal personal
NotPetya | Unspecified | 1 | NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
Industroyer | Unspecified | 1 | Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the GreyEnergy malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 3 months ago | Previously unknown Kapeka backdoor linked to Sandworm APT
DARKReading | 3 months ago | Dangerous New ICS Malware Targets Orgs in Russia and Ukraine
BankInfoSecurity | 3 months ago | Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
ESET | a year ago | RansomBoggs: New ransomware targeting Ukraine | WeLiveSecurity